Method and system for secure data processing in an insecure runtime environment

By employing cryptographic encryption, integrity checking, and parallel data processing with runtime monitoring, the method maintains security integrity during data exchange between secure and insecure systems, facilitating reliable data processing in hybrid environments.

WO2026124706A1 · PCT designated stage · Publication Date: 2026-06-18 · DEUTSCHE BAHN AG

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
DEUTSCHE BAHN AG
Filing Date
2024-12-13
Publication Date
2026-06-18

Smart Images

  • Figure DE2024101072_18062026_PF_FP_ABST

Abstract

The invention relates to a method for processing primary data generated in an operational technology computer system (OT) in an insecure computer system (IT) with an insecure runtime environment, which enables the original security integrity level of primary data, acquired in the context of their generation in the operational technology computer system, to be maintained even for the result data that arise from processing them in the insecure computer system. According to the invention this is achieved, inter alia, in that (a) the data processing of the communication and decryption unit (ITKE) and the first verification unit (ITPR-1), (b) and the data processing of the first verification unit (ITPR-1), the first and second data processing units (ITDV-1, ITDV-2), the second verification unit (ITPR-2), the security unit (ITSI) and the security and verification unit (ITSP) are monitored by means of at least one first runtime monitoring unit (ITLÜ) in the insecure computer system (IT), and each first runtime monitoring unit (ITLÜ) of the insecure computer system (IT) is in turn monitored by means of at least one second runtime monitoring unit (SILÜ) in a secure computer system with a secure runtime environment (SIL).

Description

[0001] Method and system for secure data processing in an insecure runtime environment

[0002] The invention relates to a computer-implemented method for the secure processing of primary data generated in an operational computer system in an insecure computer system with an insecure runtime environment, wherein in the operational computer system

[0003] ■ in a first process step the primary data is generated using at least one data source,

[0004] ■ in a second process step, the primary data is supplemented with additional security data using at least one security unit,

[0005] ■ in a third process step, a security code is generated over this primary and security data by means of at least one security and verification unit, and their integrity is checked using this security code,

■ in a fourth process step, the primary and security data as well as the security code are cryptographically encrypted by means of at least one encryption and communication unit and transmitted to the insecure computer system (see claim 1),

as well as to a data processing system configured analogously for this purpose, comprising at least one operational computer system and at least one insecure computer system with an insecure runtime environment, wherein the operational computer system comprises:

[0006] ■ at least one primary data source,

[0007] ■ at least one security unit to supplement the primary data with additional security data,

[0008] ■ at least one security and verification unit for generating a security code over the primary and security data and for verifying their integrity using this generated security code,

[0009] ■ at least one encryption and communication unit for cryptographic encryption of the primary and security data and the security code, and their transmission to the insecure computer system.

[0010] In the context of the present invention, an "operational technology computer system" is understood to be a hardware and software system designed for controlling or regulating, in particular, industrial technical equipment or processes, for which the English generic term "Operational Technology" or the acronym "OT" has become established. Therefore, in the context of the present invention, "operational technology computer systems" and "Operational Technology" systems are to be understood as synonyms. Typical application areas of such "operational technology computer systems" or "Operational Technology" systems or OT systems are control or regulation systems for power plants, railway systems, industrial production plants, vehicles, aircraft, and much more. Typical simple examples of these are programmable logic controllers (PLCs), CNC machine controls, SCADA systems, etc.

[0011] Many software and hardware systems used as "operational technology" (OT) systems are subject to increased requirements regarding their reliability, availability, maintainability and safety, including protection against external attacks. They are therefore developed according to defined information technology methods in order to achieve a defined safety integrity level (SIL; in the German original "Sicherheit" covers both safety and security, so the terms "safety integrity level" and "security integrity level" used in this text denote the same normative level). These methods and the integrity levels achievable through their application are standardized for many OT application areas, for example in the ISO 26262 series of standards for road vehicles, which is derived from the overarching IEC 61508 series, or in the corresponding standards for railway applications such as EN 50126, TS 50701, EN 50159, EN 50129, EN 50155, EN 50716, EN 50128 or EN 50657. To achieve a normatively defined safety integrity level, all technological components (i.e. the entire so-called "technology stack") of a software and hardware system must be developed in accordance with the standard. In the context of the present invention, such a software and hardware system is referred to as a "secure computer system", in contrast to an "insecure computer system" developed in a non-compliant manner. An "insecure computer system" in the sense of this invention is therefore any computer system that does not meet the aforementioned conditions of a "secure computer system".

[0012] However, even a software and hardware system that is in itself developed in accordance with the standards cannot be assumed to be free of errors when it is operated in an insecure runtime environment (for example together with an insecure operating system). Such a software and hardware system must therefore, despite its standard-compliant development, still be treated as an insecure computer system. Standard-compliant secure systems are consequently often closed systems (i.e. without the possibility of exchanging data with other software and hardware systems) or have only very limited communication capabilities with other software and hardware systems. In particular, when data is exchanged between a secure software and hardware system and a (potentially or actually) insecure one, it must be assumed that the functions executed by the insecure system process and provide the data without adhering to the safety integrity level defined and required by the standard. As a result, the data integrity of such a data exchange is not guaranteed.

[0013] This complicates the digitization of use cases that require the exchange of data, initially generated under a defined security integrity level as described above, with applications in insecure runtime environments, as this can result in a loss of that original security integrity level. This particularly hinders the digitization of use cases based on data exchange between an operational technology computer system and software and hardware systems networked in a cloud. Examples include status data, energy consumption data, and position or movement data of a rail vehicle used for automating its operation or maintenance.

[0014] The invention is therefore based on the technical problem of providing a generic computer-implemented method or system for processing primary data generated in an operational computer system in an insecure computer system with an insecure runtime environment, which enables the retention of an original security integrity level of primary data acquired in the context of generation in an operational computer system also for the result data resulting from their processing in a computer system with an insecure runtime environment.

[0015] This is solved according to the invention in a process-oriented manner by receiving and decrypting the cryptographically encrypted data from the at least one encryption and communication unit of the operational computer system in a fifth process step in the insecure computer system by means of a communication and decryption unit.

[0016] ■ in a sixth process step, the integrity of the decrypted primary and security data is checked by a first verification unit using the decrypted security code,

[0017] ■ in a seventh process step, the decrypted primary and security data are processed using first and second data processing facilities, whereby the data processing in the first and second data processing facilities is independent of each other and functionally diverse,

[0018] ■ in an eighth process step, the plausibility of the first result data generated by the first data processing unit is checked in relation to the second result data generated by the second data processing unit by means of a second verification unit,

[0019] ■ in a ninth process step, the first result data is supplemented with additional security data by means of a security unit,

[0020] ■ in a tenth process step, a security code is generated by means of a security and verification unit over the first result data and its supplementary security data, and their integrity is verified using this security code, whereby, in the insecure computer system, by means of at least one first runtime monitoring unit,

[0021] (a) the data processing of the communication and decryption unit and the first verification unit,

[0022] (b) and the data processing of the first verification unit, the first and second data processing units, the second verification unit, the security unit and the security and verification unit are monitored, and each first runtime monitoring unit of the insecure computer system is itself monitored by means of at least one second runtime monitoring unit in a secure computer system with a secure runtime environment. From a device-oriented perspective, this is achieved according to the invention in that the insecure computer system comprises:

[0023] ■ at least one communication and decryption unit for receiving the cryptographically encrypted data from the at least one encryption and communication unit of the operational computer system and for decrypting it,

[0024] ■ at least one first verification unit for checking the integrity of the decrypted primary and security data using the decrypted security code,

[0025] ■ at least first and second data processing facilities for processing the decrypted primary and security data, wherein the data processing in the first and second data processing facilities is independent of each other and functionally diverse,

[0026] ■ at least one second verification unit for checking the plausibility of the first result data generated by the first data processing unit in relation to the second result data generated by the second data processing unit,

[0027] ■ at least one security unit to supplement the first result data with additional security data,

[0028] ■ and at least one security and verification unit for generating a security code over the first result data and its supplementary security data, and for verifying their integrity using this security code, wherein the insecure computer system has at least one first runtime monitoring unit for monitoring

[0029] (a) the data processing of the communication and decryption unit and the first verification unit,

[0030] (b) and the data processing of the first verification unit, the first and second data processing units, the second verification unit, the security unit and the security and verification unit, and comprising at least one second runtime monitoring unit, located in a secure computer system with a secure runtime environment, configured to monitor the at least one first runtime monitoring unit of the insecure computer system. In this way, end-to-end data protection can be implemented which begins with data generation in the secure operational computer system and extends, by means of the plausibility checks and monitoring functions according to the invention, over the entire processing chain in the computer system belonging to the insecure runtime environment.

[0031] This enables the combination of a secure computer system with a computer system belonging to an insecure runtime environment to form a hybrid computer system, such that the security integrity level of the primary data of the secure computer system is verifiable throughout the entire hybrid computer system. The trustworthiness of the primary data, represented by the security integrity level, can thus be extended to the trustworthiness of the result data of data processing in the computer system with the insecure runtime environment and ultimately ensured throughout the entire hybrid computer system.

[0032] The invention is based on the interplay of process steps and system components for detecting erroneous data or faulty data processing steps, and on the hierarchical combination of potentially insecure and secure runtime monitoring. In addition to the process steps and units located in the secure computer system, the second runtime monitoring unit, which is likewise located in a secure computer system, forms a second anchor point for the logically interlocking techniques and measures for detecting and controlling errors in the hybrid system. In this way, errors in the processing of the primary data or in the runtime monitoring within an insecure software and hardware system are detected. This creates the basis for exchanging primary data generated in a secure software and hardware system with an insecure software and hardware system and processing it there without compromising the original security integrity level established in the operational computer system. Primary data generated in secure computer systems can thus be processed in cloud-based systems with insecure runtime environments without compromising the security integrity level acquired by the primary data during its generation in the secure computer system. Limitations arise only with regard to strict real-time capability.

In the context of the present invention, an operational technology computer system is understood to mean any software and hardware for which the term "operational technology" has become established in technical circles and which relates to data processing in the context of industrial control and regulation systems. Examples of such industrial control and regulation systems are: systems for the real-time control and monitoring of rail vehicles or industrial machines and plants (e.g. SCADA systems, "Supervisory Control and Data Acquisition"), process control systems (e.g. DCS, "Distributed Control Systems"), remote control devices (e.g. RTUs, "Remote Terminal Units"), programmable logic controllers (PLCs), and dedicated networks over which exclusively operational data (such as energy consumption data, status data, diagnostic data, position or motion data, etc.) from such industrial data sources are transmitted and exchanged. Such operational technology computer systems typically meet very high requirements regarding the level of safety integrity they must guarantee during data processing. The second runtime monitoring unit essential to the invention must also fully meet the normative requirements for reliability, availability, maintainability and safety that apply to the operational technology computer system. However, it does not necessarily have to be an integral part of this operational technology computer system; it can alternatively be a component of another computer system with a secure runtime environment.

[0033] The invention also relates to a computer program product comprising a computer program which includes all process steps with the aforementioned features, and a computer-readable medium on which program sections executable by a computer unit are stored in order to execute all process steps with the aforementioned features when the program sections are executed by the computer unit.

[0034] The present invention is explained in more detail below with reference to an exemplary embodiment and the accompanying drawing. Figure 1 shows a method according to the invention for processing primary data generated in an operational technology (OT) computer system in a computer system (IT) belonging to an insecure runtime environment.

[0035] The operational technology computer system, or "Operational Technology" system, in the form of a railway vehicle control system (OT), comprises

[0036] ■ a data source designed as an OTSR control computer, set up for the secure generation of primary data, such as sensor-acquired position data of a rail vehicle on a rail network,

[0037] ■ a security unit (OTSI) set up to supplement the position data generated in the control computer (OTSR) with security data, such as an identifier uniquely identifying the security unit (OTSI),

[0038] ■ a security and verification unit (OTSP) set up to generate a security code over the primary and security data and to verify their integrity, for example by means of a cyclic redundancy check (CRC). Note that a CRC only detects random transmission or processing errors: anyone who alters the data can recompute a matching CRC, so where deliberate manipulation inside the insecure system or on the communication link is to be detected as well, the security code has to be a keyed message authentication code or a digital signature,

[0039] ■ an encryption and communication unit (OTVK) set up for the cryptographic protection of the primary and security data as well as the security code and for their subsequent transmission via a communication link to the computer system (IT) with the insecure runtime environment, for example by means of a cryptographic hash function (e.g. SHA, "Secure Hash Algorithm") or a signature function (e.g. RSA, "Rivest-Shamir-Adleman"). A hash or a signature protects the integrity and authenticity of the transmitted data but does not conceal it; the encryption named in the claims additionally requires an encryption algorithm proper (an authenticated encryption mode such as AES-GCM covers both the confidentiality and the integrity of the transmitted datagram).

[0040] All the aforementioned units (OTSR, OTSI, OTSP, OTVK) of the rail vehicle control system (OT) and their respective runtime environments meet a defined safety integrity level, for example SIL2 according to the standards EN 50126, EN 50129, EN 50716, EN 50128 or EN 50657. Thus, all data relevant for controlling the rail vehicle are acquired and processed within the rail vehicle control system (OT) at this safety integrity level SIL2. The primary data generated in the control computer (OTSR) is transferred to the security unit (OTSI) and supplemented there with additional security data (e.g. timestamps, identifiers). Subsequently, the security and verification unit (OTSP) determines a security code over this primary and security data, checks the integrity of the primary and security data using the security code, and transfers the primary and security data and the security code to the encryption and communication unit (OTVK), which encrypts them and transmits them to the insecure computer system (IT).
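As an added illustration (not part of the patent text), the following Python example implements process steps 1 to 6 of this embodiment end to end: OTSI attaches identifier, sequence number and timestamp, OTSP computes a keyed security code, OTVK encrypts and tags the datagram, ITKE checks the tag and decrypts, and ITPR-1 recomputes the security code. The keys, unit identifiers, the wire layout and the HMAC-based counter-mode cipher (a stand-in for a standard authenticated cipher such as AES-GCM) are assumptions of the example; the constructed demo also shows why a CRC, as named in [0038], does not catch deliberate changes.

```python
import hashlib
import hmac
import json
import os
import zlib

# Constructed demo keys (hypothetical). In a deployment the OT side's key management
# provisions them; fixed values only keep the example self-contained and offline.
INTEGRITY_KEY = b"demo-otsp-integrity-key"  # security code, shared by OTSP and ITPR-1
TRANSPORT_KEY = b"demo-otvk-transport-key"  # encrypted link, shared by OTVK and ITKE
# Separate sub-keys for the keystream and for the transport tag.
ENC_KEY = hmac.new(TRANSPORT_KEY, b"enc", hashlib.sha256).digest()
MAC_KEY = hmac.new(TRANSPORT_KEY, b"mac", hashlib.sha256).digest()
NONCE_LEN, TAG_LEN = 12, 32


def canonical(obj):
    """Deterministic JSON bytes, so OT and IT compute the code over identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def security_code(payload):
    """OTSP / ITPR-1: keyed security code (HMAC-SHA256) over primary + security data.
    Unlike a CRC it cannot be recomputed by a party without INTEGRITY_KEY."""
    return hmac.new(INTEGRITY_KEY, canonical(payload), hashlib.sha256).hexdigest()


def _keystream(nonce, length):
    """Counter-mode keystream with HMAC-SHA256 as the PRF: a stand-in for a standard
    authenticated cipher such as AES-GCM so that the example needs no extra package."""
    blocks = [hmac.new(ENC_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def ot_produce(primary, sequence, unit_id="OTSI-demo", timestamp=1700000000.0):
    """Steps 1-4 on the OT side; returns the datagram OTVK puts on the communication link."""
    # Step 2, OTSI: supplement the primary data with identifier, sequence number and timestamp.
    payload = {"primary": primary,
               "security": {"unit_id": unit_id, "sequence": sequence, "timestamp": timestamp}}
    # Step 3, OTSP: security code over primary + security data; ITPR-1 recomputes it later.
    plaintext = canonical({**payload, "code": security_code(payload)})
    # Step 4, OTVK: encrypt-then-MAC under a fresh nonce; wire format nonce || ciphertext || tag.
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(nonce, len(plaintext)))
    tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def itke_receive(datagram):
    """Step 5, ITKE: verify the transport tag in constant time, then decrypt.
    Returns the decoded message, or None if the datagram was altered on the link."""
    if len(datagram) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = datagram[:NONCE_LEN], datagram[NONCE_LEN:-TAG_LEN], datagram[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_xor(ciphertext, _keystream(nonce, len(ciphertext))))


def itpr1_check(message):
    """Step 6, ITPR-1: recompute the security code over the decrypted primary + security data.
    This catches corruption or tampering inside the insecure system after decryption,
    which the transport tag of step 5 can no longer see."""
    payload = {"primary": message["primary"], "security": message["security"]}
    return hmac.compare_digest(security_code(payload), message["code"])


def crc_accepts_forgery(primary):
    """Why a plain CRC is not a security code: whoever alters the data can recompute
    a matching CRC, and the receiver's check then passes on the manipulated data."""
    altered = dict(primary, km=primary["km"] + 1.0)
    forged = {"primary": altered, "crc": zlib.crc32(canonical(altered))}
    return zlib.crc32(canonical(forged["primary"])) == forged["crc"]


def demo():
    """Constructed sample: one position report, sent three times. Returns each path's verdict."""
    primary = {"km": 12.345, "track": "7010", "speed_mps": 25.0}
    verdicts = {}
    good = ot_produce(primary, sequence=1)
    verdicts["intact"] = itpr1_check(itke_receive(good))              # True
    flipped = good[:20] + bytes([good[20] ^ 0x01]) + good[21:]        # one ciphertext bit flipped
    verdicts["altered_on_link"] = itke_receive(flipped)               # None: rejected by ITKE
    message = itke_receive(ot_produce(primary, sequence=2))
    message["primary"]["km"] += 1.0                                   # faulty IT component alters data
    verdicts["altered_inside_it"] = itpr1_check(message)              # False: rejected by ITPR-1
    return verdicts
```

The two rejection paths are deliberately distinct: a bit flipped on the link is caught by ITKE's transport tag, while a value altered by a faulty component after decryption is only caught by ITPR-1's recomputation of the security code, which is why the method keeps both checks.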

[0041] In the context of this example, the insecure computer system (IT) is designed as a cloud and includes

[0042] ■ a communication and decryption unit (ITKE), equipped to receive and decrypt data received from the encryption and communication unit (OTVK) of the railway vehicle control system (OT),

[0043] ■ a first verification unit (ITPR-1), set up to check the integrity of this decrypted data using the security code that was likewise received from the rail vehicle control system (OT) and decrypted,

[0044] ■ a first data processing unit (ITDV-1) and a second data processing unit (ITDV-2), both configured for processing data tested by the first testing unit (ITPR-1), wherein the data processing operations of both data processing units (ITDV-1, ITDV-2) are functionally distinct from each other, such as the determination of a change in position data of the rail vehicle using the first data processing unit (ITDV-1) and the determination of a possible change in position data based on condition data or models of the rail vehicle or the track using the second data processing unit (ITDV-2),

[0045] ■ a second verification unit (ITPR-2), set up to check the plausibility of the first result data generated by the first data processing unit (ITDV-1) (here, for example, the sensor-determined change in position of the rail vehicle) in relation to the second result data generated by the second data processing unit (ITDV-2) (for example a model-based change in position of the rail vehicle), for instance by comparing the two,

[0046] ■ a security unit (ITSI) set up to supplement the first result data with additional security data, and a security and verification unit (ITSP) set up to generate a security code over the first result data and its supplementary security data and to verify their integrity using this security code.

[0047] The primary and security data and the security code generated in the rail vehicle control system (OT) are received, decrypted and reconstructed in the communication and decryption unit (ITKE) and handed over to the first verification unit (ITPR-1). This unit verifies the integrity of the decrypted data using the security code, which was likewise received from the rail vehicle control system (OT) and decrypted. If this verification succeeds, the data is forwarded for parallel processing to the two independent but functionally diverse data processing units (ITDV-1 and ITDV-2). This parallel processing can consist, on the one hand, of determining the distance travelled from the position data in the first data processing unit (ITDV-1) and, on the other hand, of determining the possible distance travelled from model-based data in the second data processing unit (ITDV-2). The plausibility of the first result data generated by the first data processing unit (ITDV-1) in relation to the second result data generated by the second data processing unit (ITDV-2) is then checked by a second verification unit (ITPR-2) connected in series with the data processing units. In this embodiment the first result data is a change in the position of the rail vehicle determined from sensor signals (which are the "primary data" in the sense of the invention), while the second result data is a change in the position of the rail vehicle determined from a model; for the plausibility check the first result data is compared against the second. If this plausibility check is positive, the first result data is supplemented with additional security data (e.g. timestamp, identifier) by the serially connected security unit (ITSI). A further serially connected security and verification unit (ITSP) generates a security code over the first result data and its supplementary security data and verifies their integrity with it.

The processing of the primary data originally generated in the control computer (OTSR) of the rail vehicle control system (OT) is represented in Figure 1 by the data path drawn as a solid line.
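Steps 7 to 10 of this embodiment, as an added example in Python that is not part of the patent text: ITDV-1 derives the change in position from two sensor fixes, ITDV-2 derives the admissible change from a simple vehicle model (speed, interval and maximum acceleration), ITPR-2 accepts the first result only inside that envelope, and ITSI/ITSP attach security data and a keyed security code to the result. The sample messages, the tolerance and acceleration constants, the key, and the idea of carrying the OT security code along in the result's security data are assumptions of the example.

```python
import hashlib
import hmac
import json

INTEGRITY_KEY = b"demo-itsp-integrity-key"  # constructed; key of the IT-side security code (ITSP)
TOLERANCE_M = 2.0    # assumed noise budget of the position sensor, in metres
MAX_ACCEL = 1.5      # assumed maximum acceleration / braking of the vehicle, m/s^2

# Constructed sample as ITPR-1 hands it over: two consecutive position fixes (track km),
# the measured speed, the interval between the fixes, and the OT security code.
NOMINAL = {"primary": {"km_prev": 12.340, "km_now": 12.365, "speed_mps": 25.0, "dt_s": 1.0},
           "security": {"unit_id": "OTSI-demo", "sequence": 41},
           "code": "demo-ot-security-code"}
GLITCH = {**NOMINAL, "primary": {**NOMINAL["primary"], "km_now": 12.480}}  # 140 m jump in 1 s


def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def security_code(payload):
    """ITSP: keyed security code (HMAC-SHA256) over first result data + security data."""
    return hmac.new(INTEGRITY_KEY, canonical(payload), hashlib.sha256).hexdigest()


def itdv1_sensor_delta(primary):
    """ITDV-1 (step 7, first path): change in position from the two sensor fixes, in metres."""
    return (primary["km_now"] - primary["km_prev"]) * 1000.0


def itdv2_model_delta(primary):
    """ITDV-2 (step 7, second path, functionally diverse): the change in position the vehicle
    model allows, i.e. speed x time plus what the maximum acceleration can add in that time.
    It never reads the second position fix, so one faulty sensor value cannot bias both paths."""
    expected = primary["speed_mps"] * primary["dt_s"]
    margin = 0.5 * MAX_ACCEL * primary["dt_s"] ** 2
    return expected, margin


def itpr2_plausible(sensor_delta, model_delta):
    """ITPR-2 (step 8): the first result data is plausible if it lies in the model envelope."""
    expected, margin = model_delta
    return abs(sensor_delta - expected) <= margin + TOLERANCE_M


def it_process(message, sequence, timestamp, unit_id="ITSI-demo"):
    """Steps 7-10 for one message verified by ITPR-1. Returns the sealed result, or None
    when the plausibility check fails: no result data is released in that case."""
    primary = message["primary"]
    delta = itdv1_sensor_delta(primary)
    if not itpr2_plausible(delta, itdv2_model_delta(primary)):
        return None
    # Step 9, ITSI: security data for the result. Carrying the incoming OT code along ties the
    # result to the primary data it came from (a design choice of this example, not of the patent).
    result = {"result": {"delta_m": round(delta, 3)},
              "security": {"unit_id": unit_id, "sequence": sequence, "timestamp": timestamp,
                           "source_code": message["code"]}}
    # Step 10, ITSP: security code over first result data + its security data.
    return {**result, "code": security_code(result)}


def itsp_check(sealed):
    """Verification of a sealed result, as done by ITSP itself and by ITPR-1 on the feedback
    path of paragraph [0048]. Returns False if result or security data were changed."""
    payload = {"result": sealed["result"], "security": sealed["security"]}
    return hmac.compare_digest(security_code(payload), sealed["code"])
```

Functional diversity here means ITDV-2 never reads the second position fix, so a single corrupted sensor value cannot steer both paths to the same wrong answer; the constructed GLITCH message, a 140 m jump in one second against a model envelope of 25 m plus margin, is rejected and no result data is sealed.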

[0048] Furthermore, output data from the security and verification unit (ITSP) is fed back as input data to the first verification unit (ITPR-1) (represented in Figure 1 by a secondary data path drawn as a dash-dotted line).

[0049] Furthermore, in the insecure computer system (IT) a first runtime monitoring unit (ITLÜ) is used to monitor

[0050] ■ the data processing in the communication and decryption unit (ITKE) and the first verification unit (ITPR-1),

[0051] ■ and the data processing of the first verification unit (ITPR-1), the first and second data processing units (ITDV-1, ITDV-2), the second verification unit (ITPR-2), the security unit (ITSI) and the security and verification unit (ITSP), wherein this first runtime monitoring unit (ITLÜ) is itself simultaneously monitored by at least one second runtime monitoring unit (SILÜ), which is part of a secure monitoring system (SIL). The process steps of the initial data processing in the insecure computer system (IT) up to and including the integrity check in the first verification unit (ITPR-1), on the one hand, and the process steps of the subsequent further data processing in the insecure computer system (IT), on the other, are monitored separately and independently of each other by the first runtime monitoring unit (ITLÜ). The data flow associated with this monitoring in the first runtime monitoring unit (ITLÜ) and in the second runtime monitoring unit (SILÜ) is represented in Figure 1 by a data path drawn as a dashed line.

[0052] If a first runtime monitoring unit (ITLÜ) is part of an insecure runtime environment, the runtime monitoring itself must also be considered insecure. The invention therefore provides for the monitoring of the first, insecure runtime monitoring unit (ITLÜ) by at least one second, secure runtime monitoring unit (SILÜ). The entire technology stack of such a second runtime monitoring unit (SILÜ), i.e. the secure monitoring system (SIL) it belongs to, must meet the normative requirements for availability, reliability, maintainability and safety. Alongside the fully secure units of the rail vehicle control system (OT), the second runtime monitoring unit (SILÜ) thus forms a second anchor point for the logically interlocking functional devices for detecting and controlling errors in the hybrid system formed by the two computer systems with secure runtime environments (OT, SIL) and the computer system with the insecure runtime environment (IT).
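The hierarchical runtime monitoring of [0049] to [0052], as an added Python example that is not part of the patent text: two ITLÜ instances supervise the stage groups (a) and (b) against per-stage deadlines, and a SILÜ in the secure system supervises both ITLÜ instances through their heartbeats. The simulated clock, the deadline and period values, the heartbeat format and the fault texts are assumptions of the example.

```python
GROUP_A = ("ITKE", "ITPR-1")                                        # group (a) of claim 1
GROUP_B = ("ITPR-1", "ITDV-1", "ITDV-2", "ITPR-2", "ITSI", "ITSP")  # group (b) of claim 1


class ITLU:
    """First runtime monitoring unit (ITLÜ), running inside the insecure system. One instance
    per group, so that groups (a) and (b) are supervised separately and independently."""

    def __init__(self, name, stages, deadline_s):
        self.name, self.stages, self.deadline = name, tuple(stages), deadline_s
        self.running = {}   # stage -> start time
        self.faults = []
        self.counter = 0    # heartbeat counter reported to SILÜ

    def _fault(self, text):
        if text not in self.faults:
            self.faults.append(text)

    def started(self, stage, now):
        if stage not in self.stages:
            self._fault(f"{stage}: not a stage of {self.name}")
        self.running[stage] = now

    def finished(self, stage, now):
        t0 = self.running.pop(stage, None)
        if t0 is None:
            self._fault(f"{stage}: finished without start")
        elif now - t0 > self.deadline:
            self._fault(f"{stage}: took {now - t0:.1f}s, deadline {self.deadline}s")

    def heartbeat(self, now):
        """Periodic check of every stage still running, then a heartbeat for SILÜ."""
        for stage, t0 in self.running.items():
            if now - t0 > self.deadline:
                self._fault(f"{stage}: still running after {now - t0:.1f}s")
        self.counter += 1
        return {"source": self.name, "counter": self.counter, "time": now, "faults": list(self.faults)}


class SILU:
    """Second runtime monitoring unit (SILÜ) in the secure system. It judges each ITLÜ only by
    its heartbeats: the counter must advance by exactly one, each heartbeat must arrive within
    the period, and any fault the ITLÜ reports is escalated. An ITLÜ that stalls, repeats itself
    or falls silent is therefore detected from outside the insecure system."""

    def __init__(self, monitored, period_s, start_time):
        self.period = period_s
        self.last = {name: (0, start_time) for name in monitored}  # counter, time of last heartbeat
        self.alarms = []

    def _alarm(self, text):
        if text not in self.alarms:
            self.alarms.append(text)

    def receive(self, hb, now):
        name = hb["source"]
        if name not in self.last:
            self._alarm(f"{name}: heartbeat from unknown monitor")
            return
        counter, t_last = self.last[name]
        if hb["counter"] != counter + 1:
            self._alarm(f"{name}: counter {hb['counter']} after {counter}")
        if now - t_last > self.period:
            self._alarm(f"{name}: heartbeat {now - t_last:.1f}s after the previous one")
        for fault in hb["faults"]:
            self._alarm(f"{name}: {fault}")
        self.last[name] = (hb["counter"], now)

    def check_silence(self, now):
        """Driven by the secure system's own clock: an ITLÜ that has gone quiet is a fault too."""
        for name, (_, t_last) in self.last.items():
            if now - t_last > self.period:
                self._alarm(f"{name}: silent since t={t_last:.1f}s")
        return list(self.alarms)


def run_scenario(stuck_stage=None, itlu_b_freezes_at=None):
    """Simulated clock, ten processing cycles of 1 s. Optionally one stage of group (b) never
    finishes, or ITLÜ-b stops heartbeating at the given time. Returns the faults seen by the
    two ITLÜ instances and the alarms raised by SILÜ."""
    itlu_a = ITLU("ITLÜ-a", GROUP_A, deadline_s=0.25)
    itlu_b = ITLU("ITLÜ-b", GROUP_B, deadline_s=0.25)
    silu = SILU([itlu_a.name, itlu_b.name], period_s=1.0, start_time=0.5)
    for cycle in range(1, 11):
        t = float(cycle)
        for stage in GROUP_A:
            itlu_a.started(stage, t)
            itlu_a.finished(stage, t + 0.125)
        for stage in GROUP_B:
            itlu_b.started(stage, t)
            if stage != stuck_stage:
                itlu_b.finished(stage, t + 0.125)
        t_hb = t + 0.5
        silu.receive(itlu_a.heartbeat(t_hb), t_hb)
        if itlu_b_freezes_at is None or t_hb < itlu_b_freezes_at:
            silu.receive(itlu_b.heartbeat(t_hb), t_hb)
        silu.check_silence(t_hb)
    return itlu_a.faults, itlu_b.faults, silu.alarms
```

The point of the second level shows in the frozen-monitor scenario: when ITLÜ-b itself stops, nothing inside the insecure system reports it, and only the SILÜ's own clock produces the alarm; a stage that hangs, by contrast, is seen first by ITLÜ-b and then escalated through its heartbeat.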

[0053] Reference symbol list:

[0054] OT rail vehicle control

[0055] OTSR control computer of the railway vehicle control (OT), set up for the secure generation of primary data

[0056] OTSI security unit, designed to supplement primary data generated in (OTSR) with security data

[0057] OTSP security and verification unit, set up to generate a security code over the primary and security data and to verify its integrity

[0058] OTVK encryption and communication unit

[0059] IT Cloud Application

[0060] ITKE Communication and Decryption Unit

[0061] ITPR-1 first verification unit, set up to check the integrity of the decrypted data

[0062] ITDV-1 first data processing unit, set up to process the decrypted data

[0063] ITDV-2 second data processing unit, set up to process the decrypted data

[0064] ITPR-2 second verification unit, set up to check the plausibility of the result data from (ITDV-1, ITDV-2)

[0065] ITSI security unit, set up to supplement the first result data generated in (ITDV-1) with security data

[0066] ITSP security and verification unit, set up to generate a security code over the result and security data and to verify their integrity

[0067] ITLÜ first runtime monitoring unit

[0068] SIL secure monitoring system

[0069] SILÜ second runtime monitoring unit

Claims

Patent claims

1. Computer-implemented method for processing primary data generated in an operational technology (OT) computer system in an insecure computer system (IT) with an insecure runtime environment, wherein in the operational technology (OT) computer system
■ in a first process step the primary data are generated using at least one data source (OTSR),
■ in a second process step, the primary data is supplemented with additional security data using at least one security unit (OTSI),
■ in a third process step, a security code is generated over this primary and security data using at least one security and verification unit (OTSP), and their integrity is checked using this security code,
■ in a fourth process step, the primary and security data as well as the security code are cryptographically encrypted by means of at least one encryption and communication unit (OTVK) and transmitted to the insecure computer system (IT),
characterized in that in the insecure computer system (IT)
■ in a fifth process step, the data cryptographically encrypted by the at least one encryption and communication unit (OTVK) of the operational computer system (OT) is received and decrypted by means of a communication and decryption unit (ITKE),
■ in a sixth process step, the integrity of the decrypted primary and security data is checked by a first verification unit (ITPR-1) using the decrypted security code,
■ in a seventh process step, the decrypted primary and security data are processed using first and second data processing units (ITDV-1, ITDV-2), whereby the data processing in the first and second data processing units (ITDV-1, ITDV-2) is independent of each other and functionally diverse,
■ in an eighth process step, the plausibility of the first result data generated by the first data processing unit (ITDV-1) is checked in relation to the second result data generated by the second data processing unit (ITDV-2) by means of a second verification unit (ITPR-2),
■ in a ninth process step, the first result data are supplemented with additional security data by means of a security unit (ITSI),
■ in a tenth process step, a security code is generated by means of a security and verification unit (ITSP) over the first result data and its supplementary security data, and their integrity is verified using this security code,
whereby, in the insecure computer system (IT), by means of at least one first runtime monitoring unit (ITLÜ),
(a) the data processing of the communication and decryption unit (ITKE) and the first verification unit (ITPR-1),
(b) and the data processing of the first verification unit (ITPR-1), the first and second data processing units (ITDV-1, ITDV-2), the second verification unit (ITPR-2), the security unit (ITSI) and the security and verification unit (ITSP)
are monitored, and each first runtime monitoring unit (ITLÜ) of the insecure computer system (IT) is monitored by means of at least one second runtime monitoring unit (SILÜ) in a secure computer system with a secure runtime environment (SIL).

2. Data processing system (DP), comprising at least one operational technology (OT) computer system and at least one insecure computer system (IT) with an insecure runtime environment, wherein the operational technology (OT) computer system comprises:
■ at least one data source (OTSR) generating primary data,
■ at least one security unit (OTSI) to supplement the primary data with additional security data,
■ at least one security and verification unit (OTSP) for generating a security code over the primary and security data and for verifying their integrity using this generated security code,
■ at least one encryption and communication unit (OTVK) for cryptographic encryption of the primary and security data and the security code and for their transmission to the insecure computer system (IT),
characterized in that the insecure computer system (IT) comprises:
■ at least one communication and decryption unit (ITKE) for receiving the cryptographically encrypted data from the at least one encryption and communication unit (OTVK) of the operational computer system (OT) and decrypting it,
■ at least one first verification unit (ITPR-1) for verifying the integrity of the decrypted primary and security data using the decrypted security code,
■ at least first and second data processing units (ITDV-1, ITDV-2) for processing the decrypted primary and security data, wherein the data processing in the first and second data processing units (ITDV-1, ITDV-2) is independent of each other and functionally diverse,
■ at least one second verification unit (ITPR-2) for checking the plausibility of the first result data generated by the first data processing unit (ITDV-1) in relation to the second result data generated by the second data processing unit (ITDV-2),
■ at least one security unit (ITSI) to supplement the first result data with additional security data,
■ and at least one security and verification unit (ITSP) for generating a security code over the first result data and its supplementary security data, and for verifying their integrity using this security code,
and wherein the insecure computer system (IT) has at least one first runtime monitoring unit (ITLÜ) for monitoring
(a) the data processing of the communication and decryption unit (ITKE) and the first verification unit (ITPR-1),
(b) and the data processing of the first verification unit (ITPR-1), the first and second data processing units (ITDV-1, ITDV-2), the second verification unit (ITPR-2), the security unit (ITSI) and the security and verification unit (ITSP),
and the data processing system includes at least one second runtime monitoring unit (SILÜ), in a secure computer system with a secure runtime environment (SIL), set up to monitor the at least one first runtime monitoring unit (ITLÜ) of the insecure computer system (IT).

3. Computer program product comprising a computer program which includes all steps of the method according to claim 1.

4. Computer-readable medium on which program sections executable by a computer unit are stored in order to execute all steps of the method according to claim 1 when the program sections are executed by the computer unit.